Hi @yen,
If you think you might have found a security problem, next time please follow the instructions in the SECURITY.md document.
We are aware of the issues you mention, which are 3rd-party dependencies included in OJS. We review our use of these when they are reported, and ensure that there is no attack surface presenting a risk to our users. When there is, we release a new version with updated (or mitigated) dependencies.
OJS 3.3.0-x is a Long Term Support (LTS) release, which means we commit to maintaining it for security for a period of 3-5 years after it is released. This can prevent us from fully updating dependencies to the latest releases; in that case we look to other approaches such as patching to mitigate any problems that have been reported in the meantime.
tl;dr: these reports do not present attack surfaces in OJS; you’re safe to continue.
However, I note that you’re using OJS 3.3.0-4; that is an old release and I would encourage you to update to either the latest 3.3.0-x (an LTS release) or 3.4.0-x (not an LTS release). For users with limited IT resources, the LTS release is usually the best choice.
Regards,
Alec Smecher
Public Knowledge Project Team